Privacy Policy

1. Information We Collect

1.1 Information from Operators

When you register and use the Platform as an operator, we collect:

Account Information:

• Business name and registration details
• Contact person name and title
• Email address and phone number
• Business address
• Payment gateway account information (for integration purposes)
• Bank account details (if applicable for settlements)

Business Information:

• Tour and activity descriptions
• Pricing and availability data
• Photos, videos, and marketing content
• Cancellation and refund policies
• Operating licenses and permits (if provided)

Booking and Transaction Data:

• Booking details and guest information (collected on your behalf)
• Transaction records and payment information
• Refund and cancellation records
• Communication with guests

Usage Information:

• Platform access logs and activity
• Feature usage and preferences
• IP addresses and device information
• Browser type and operating system

1.2 Information from Guests

When guests book through the Platform, we collect on behalf of operators:

Booking Information:

• Full name
• Email address and phone number
• Nationality and country of residence
• Number of participants and participant details
• Special requirements or requests

Payment Information:

• Payment method details (processed through payment gateways)
• Billing address
• Transaction records

Communication Data:

• Messages between guests and operators
• Booking confirmations and notifications
• Feedback and reviews (if provided)

Technical Information:

• IP address and device information
• Browser type and language preferences
• Booking flow interactions

1.3 Information from Other Sources

We may receive information about you from:

• Third-party channels and OTAs where your tours are distributed
• Payment gateway providers
• Social media platforms (if you connect your accounts)
• Public sources such as business registries
• Identity verification services

1.4 Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Maintain your login session
• Remember your preferences
• Analyze Platform usage and performance
• Improve user experience
• Provide security features

You can control cookies through your browser settings, but disabling cookies may affect Platform functionality.

2. How We Use Your Information

2.1 To Provide Platform Services

For Operators:

• Create and manage your Account
• Process and facilitate bookings
• Enable payment processing through your payment gateway
• Distribute your inventory to connected channels
• Provide reporting and analytics
• Communicate important Platform updates

For Guests:

• Process booking requests
• Facilitate communication with operators
• Send booking confirmations and reminders
• Process payments through payment gateways
• Provide customer support

2.2 To Improve and Develop the Platform

We use aggregated and anonymized data to:

• Analyze Platform performance and usage patterns
• Develop new features and services
• Identify and fix technical issues
• Conduct research and analytics
• Improve user experience

2.3 For Security and Fraud Prevention

We process information to:

• Verify identity and prevent fraud
• Detect and prevent unauthorized access
• Protect against security threats
• Comply with legal obligations
• Enforce our Terms and Conditions

2.4 For Marketing and Communication

For Operators (with consent):

• Send Platform updates and new feature announcements
• Provide educational content and best practices
• Share industry insights and benchmarks
• Conduct surveys and request feedback

For Guests (with operator permission):

• Send booking-related communications on behalf of operators
• Deliver post-booking follow-ups as configured by operators

You can opt out of marketing communications at any time by clicking "unsubscribe" in emails or contacting us directly.

2.5 For Legal Compliance

We may process information to:

• Comply with applicable laws and regulations
• Respond to legal requests and court orders
• Protect our legal rights and interests
• Resolve disputes and enforce agreements

3. How We Share Your Information

3.1 With Operators and Guests

Operator Access to Guest Data:

• Operators receive guest booking information necessary to deliver their services
• Operators are responsible for protecting guest data in their possession
• Operators must comply with applicable data protection laws

Guest Access to Operator Data:

• Guests receive operator contact information and tour details
• Guests can access booking confirmations and receipts

3.2 With Third-Party Service Providers

We share information with trusted service providers who assist us:

Payment Gateway Providers (Stripe, Xendit, etc.):

• Payment processing and transaction facilitation
• Fraud detection and prevention
• Payment gateway integration and split payment functionality

Channel Partners and OTAs:

• Inventory distribution as authorized by operators
• Booking synchronization across channels
• Availability and pricing updates

Technology Service Providers:

• Cloud hosting and infrastructure (AWS, Google Cloud, etc.)
• Email delivery services
• Analytics and monitoring tools
• Customer support platforms

Professional Services:

• Legal and accounting services
• Security and compliance auditing
• Business consulting

All third-party service providers are contractually obligated to protect your information and use it only for specified purposes.

3.3 For Business Transfers

If Kong undergoes a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

3.4 For Legal Reasons

We may disclose information when required by law or when we believe disclosure is necessary to:

• Comply with legal obligations, court orders, or regulatory requirements
• Protect our rights, property, or safety
• Protect the rights, property, or safety of others
• Investigate fraud or security issues
• Enforce our Terms and Conditions

3.5 With Your Consent

We may share information for other purposes with your explicit consent.

4. Data Retention

4.1 Retention Periods

Operator Data:

• Account information: Retained while your Account is active and for 7 years after termination for legal and accounting purposes
• Booking and transaction records: Retained for 7 years for tax and legal compliance
• Communication records: Retained for 3 years
• Usage logs: Retained for 12 months

Guest Data:

• Booking information: Retained for 7 years for legal and accounting purposes
• Communication records: Retained for 3 years
• Payment information: Not stored by Kong (processed and stored by payment gateways)

4.2 Deletion Requests

You may request deletion of your personal information, subject to:

• Legal obligations to retain certain records
• Legitimate business purposes
• Outstanding financial obligations
• Pending disputes or legal proceedings

After Account deletion, we will anonymize or delete your information within 30 days, except where retention is required by law.

5. Data Security

5.1 Security Measures

We implement appropriate technical and organizational measures to protect personal information:

Technical Safeguards:

• Encryption of data in transit (TLS/SSL)
• Encryption of sensitive data at rest
• Secure authentication and access controls
• Regular security testing and vulnerability assessments
• Firewall and intrusion detection systems

Organizational Safeguards:

• Limited access to personal information on a need-to-know basis
• Employee training on data protection and security
• Confidentiality agreements with employees and contractors
• Incident response and breach notification procedures
• Regular security audits and compliance reviews

5.2 Your Security Responsibilities

You are responsible for:

• Maintaining the confidentiality of your login credentials
• Using strong, unique passwords
• Enabling two-factor authentication (if available)
• Securing devices used to access the Platform
• Reporting suspected security breaches immediately

5.3 Payment Security

Kong does not store payment card information. All payment data is collected and stored by PCI-DSS compliant payment gateway providers. Kong receives only transaction references and confirmation details necessary for booking management.

5.4 No Absolute Security

While we implement robust security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information.

6. Your Rights Under Malaysian PDPA

Under the Malaysia Personal Data Protection Act 2010 (PDPA), you have the following rights:

6.1 Right to Access

You have the right to request access to your personal information held by us. We will provide:

• Confirmation of whether we hold your personal information
• A copy of your personal information
• Information about how we use and disclose your data

6.2 Right to Correction

You have the right to request correction of inaccurate or incomplete personal information. You can update most information directly through your Account settings.

6.3 Right to Withdraw Consent

Where we process your information based on consent, you have the right to withdraw that consent at any time. This may affect our ability to provide certain services.

6.4 Right to Limit Processing

You have the right to request that we limit processing of your personal information in certain circumstances, such as:

• When you contest the accuracy of the data
• When processing is unlawful but you prefer limitation over deletion
• When we no longer need the data but you need it for legal claims

6.5 Right to Data Portability (where applicable)

You may request a copy of your personal information in a structured, commonly used format for transfer to another service provider.

6.6 Right to Complain

If you believe we have not handled your personal information in accordance with the PDPA, you have the right to lodge a complaint with:

Personal Data Protection Department Ministry of Communications and Digital Level 4-7, Menara MCMC, Off Persiaran Multimedia 63000 Cyberjaya, Selangor Darul Ehsan, Malaysia Email: pdp@pmo.gov.my Website: www.pdp.gov.my

6.7 Exercising Your Rights

To exercise any of these rights, please contact us at:

• Email: blake@bookwithkong.com
• Subject line: "Data Privacy Request"

We will respond to your request within 21 days as required under the PDPA. We may require proof of identity before processing your request.

7. International Data Transfers

Kong operates primarily in Malaysia and Southeast Asia. Your information may be transferred to and processed in countries where our service providers operate, including:

• Singapore (AWS, cloud infrastructure)
• United States (certain technology service providers)
• Other countries where our channel partners operate

When transferring data internationally, we ensure appropriate safeguards are in place through:

• Standard contractual clauses
• Service provider security certifications
• Data processing agreements
• Compliance with applicable data protection laws

8. Children's Privacy

The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately so we can delete it.

Booking information may include details about minor participants in tours, but such bookings must be made by adults who have authority to provide that information.

9. Data Controller and Processor Relationships

9.1 Kong as Data Controller

Kong acts as a data controller for:

• Operator account information and Platform usage data
• Booking fee transaction records
• Aggregated analytics and platform performance data
• Marketing and communication preferences

9.2 Kong as Data Processor

Kong acts as a data processor on behalf of operators for:

• Guest booking information collected through operator booking forms
• Communication between operators and guests
• Guest personal information required for tour delivery

Operator Responsibilities:

When you use Kong to collect guest information, you act as the data controller and are responsible for:

• Obtaining necessary consents from guests
• Providing guests with appropriate privacy notices
• Ensuring your data practices comply with applicable laws
• Determining retention periods for guest data
• Responding to guest data subject requests

Kong will assist you in meeting your data protection obligations through Platform features and support.

9.3 Payment Gateway Providers as Data Controllers

Payment gateway providers (Stripe, Xendit, etc.) act as independent data controllers for payment card information and transaction data. Their processing is governed by their own privacy policies and terms of service.

10. Third-Party Links and Services

The Platform may contain links to third-party websites, channels, and services. This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices of:

• OTA channels where your inventory is distributed
• Payment gateway providers
• Social media platforms
• Other third-party services

We encourage you to review the privacy policies of any third-party services you use.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

• Changes in our data practices
• New features or services
• Changes in applicable laws
• Feedback from users or regulators

Notification of Changes:

• Material changes will be communicated via email at least 30 days before taking effect
• The "Last Updated" date at the top will be revised
• Continued use of the Platform after changes take effect constitutes acceptance

We encourage you to review this Privacy Policy periodically.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Contact:

SUPERSTRING SDN. BHD. 202401016432 (1562282-H) Waldorf Tower Jalan Sri Hartamas 17, 50480 Sri Hartamas, Kuala Lumpur, Malaysia

Email: blake@bookwithkong.com Subject: Privacy Policy Inquiry Website: www.bookwithkong.com

Response Time: We will respond to privacy inquiries within 21 days as required under Malaysian PDPA.

13. Cookie Policy

13.1 What Are Cookies

Cookies are small text files stored on your device when you visit the Platform. They help us provide a better user experience and understand how the Platform is used.

13.2 Types of Cookies We Use

Essential Cookies:

• Authentication and session management
• Security and fraud prevention
• Platform functionality

Performance Cookies:

• Analytics and usage tracking (Google Analytics, etc.)
• Error monitoring and debugging
• Performance optimization

Functional Cookies:

• User preferences and settings
• Language and region selection
• Feature personalization

Marketing Cookies (with consent):

• Advertising and remarketing
• Campaign tracking
• User engagement measurement

13.3 Third-Party Cookies

Some cookies are set by third-party services we use:

• Google Analytics (analytics)
• Payment gateway providers (fraud prevention)
• Channel integration partners (session management)

13.4 Managing Cookies

Browser Settings: You can control cookies through your browser settings:

• Block all cookies
• Block third-party cookies
• Delete existing cookies
• Receive notifications when cookies are set

Impact of Blocking Cookies: Disabling certain cookies may affect Platform functionality, including:

• Inability to stay logged in
• Loss of preferences and settings
• Impaired booking functionality
• Reduced analytics capabilities

Cookie Consent: When you first visit the Platform, we will ask for your consent to use non-essential cookies. You can change your preferences at any time through your Account settings or browser configuration.

14. Specific Regional Provisions

14.1 Malaysia

This Privacy Policy complies with the Malaysia Personal Data Protection Act 2010. Malaysian users have specific rights as outlined in Section 6.

14.2 Other Southeast Asian Jurisdictions

We aim to comply with data protection regulations in all jurisdictions where we operate, including:

• Singapore Personal Data Protection Act (PDPA)
• Thailand Personal Data Protection Act (PDPA)
• Vietnam Law on Cybersecurity
• Philippines Data Privacy Act
• Indonesia Personal Data Protection Law

If you are located in these jurisdictions, you may have additional rights under local laws.

14.3 European Economic Area (EEA) / UK

If you are located in the EEA or UK, you have additional rights under GDPR/UK GDPR, including:

• Right to erasure ("right to be forgotten")
• Right to object to processing
• Right to lodge complaints with supervisory authorities
• Enhanced data portability rights

By using the Kong Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.